You’ve decided to create a product security program. Congratulations! Here are five recommendations to help you on your journey:
Leadership commitment
Leadership commitment is crucial. Building a product security program requires changes in how people work, and with visible support from leadership the initiative has a much higher chance of success. Report metrics and progress to them regularly, and ask them to prioritize the work so that their commitment stays active rather than nominal.
Relevant metrics
Decide on metrics that are specifically tailored to the success of your product security program. Define a set of KPIs (key performance indicators) and KRIs (key risk indicators) and measure them early in the life of the program, so that you have a baseline against which later progress can be measured.
Utilize frameworks
Use known frameworks to avoid reinventing the wheel. For example, assessing your organization against OWASP SAMM (the Software Assurance Maturity Model) gives you a gap analysis that shows where you need to focus your efforts.
Introduce security champions
Build your network by establishing a center of excellence and nominating a security champion in each team. Fill this role through nomination based on interest and motivation rather than by appointment, and make sure that the role comes with some level of autonomy.
Automate
Automate wherever possible: review your CI/CD pipeline and add automated tooling so that security checks run on every change without manual effort. This frees you, your team, and your security champions to focus on the things that really matter, such as secure coding principles and threat modeling.
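One concrete piece of that automation, as an added example that is not code from the original post: a merge gate that reads the SARIF reports most SAST, dependency and secret scanners can emit and fails the build on high-severity findings, so people only have to look at what the threshold lets through. The scanner names, rule ids, file paths and the embedded sample report are constructed for illustration, and the numeric fallback for tools that publish no `security-severity` per rule is an assumption of this example, not a SARIF rule.

```python
"""CI merge gate over SARIF 2.1.0 output (added example; sample data is constructed)."""
import json
import sys

# Constructed SARIF report standing in for real scanner output: the tool names,
# rule ids, paths and line numbers below are invented for this example.
SAMPLE_SARIF = r'''
{"version": "2.1.0", "runs": [
 {"tool": {"driver": {"name": "example-sast", "rules": [
     {"id": "js/sql-injection", "properties": {"security-severity": "9.8"}},
     {"id": "js/log-injection", "properties": {"security-severity": "7.8"}},
     {"id": "js/unused-variable"}]}},
  "results": [
   {"ruleId": "js/sql-injection", "level": "error", "message": {"text": "Query built from user input"},
    "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.js"}, "region": {"startLine": 42}}}]},
   {"ruleId": "js/log-injection", "level": "warning", "message": {"text": "Log entry built from user input"},
    "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/log.js"}, "region": {"startLine": 17}}}]},
   {"ruleId": "js/unused-variable", "level": "note", "message": {"text": "Unused variable tmp"},
    "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/util.js"}, "region": {"startLine": 3}}}]},
   {"ruleId": "js/sql-injection", "level": "error", "message": {"text": "Reviewed: parameterised upstream"},
    "suppressions": [{"kind": "inSource"}],
    "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/report.js"}, "region": {"startLine": 88}}}]}]},
 {"tool": {"driver": {"name": "example-secret-scanner"}},
  "results": [
   {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Possible hard-coded credential"},
    "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/settings.py"}, "region": {"startLine": 9}}}]}]}]}
'''

# Assumed mapping of SARIF "level" onto the 0-10 security-severity scale, used
# only for scanners that publish no numeric severity on their rules.
LEVEL_FALLBACK = {"error": 8.0, "warning": 5.0, "note": 2.0, "none": 0.0}


def sample_report():
    """Parse the constructed report above (stand-in for `json.load` of a real file)."""
    return json.loads(SAMPLE_SARIF)


def rule_table(run):
    """Index the run's rule metadata by rule id; empty if the tool publishes none."""
    return {r.get("id"): r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}


def finding_severity(result, rules):
    """Severity of one result: the rule's security-severity if present, else the level fallback."""
    sev = rules.get(result.get("ruleId"), {}).get("properties", {}).get("security-severity")
    if sev is not None:
        return float(sev)
    return LEVEL_FALLBACK.get(result.get("level", "warning"), 5.0)


def location_of(result):
    """'path:line' of the first location, or '?' when the scanner supplied none."""
    try:
        phys = result["locations"][0]["physicalLocation"]
        return f"{phys['artifactLocation']['uri']}:{phys['region']['startLine']}"
    except (KeyError, IndexError):
        return "?"


def blocking_findings(report, threshold=7.0, allowlisted_rules=()):
    """Findings that should fail the pipeline, highest severity first.

    A finding blocks when its severity is at or above `threshold`, unless the
    result carries SARIF suppressions (an in-source suppression, for example)
    or its rule id is on the allowlist of explicitly accepted risks.
    """
    blocking = []
    for run in report.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        rules = rule_table(run)
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "unknown")
            if result.get("suppressions") or rule_id in allowlisted_rules:
                continue
            severity = finding_severity(result, rules)
            if severity >= threshold:
                blocking.append({"tool": tool, "rule": rule_id, "severity": severity,
                                 "location": location_of(result),
                                 "message": result.get("message", {}).get("text", "")})
    return sorted(blocking, key=lambda f: (-f["severity"], f["location"]))


def main(argv):
    """CI entry point: `gate.py [report.sarif] [threshold]`; exit status 1 if anything blocks."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            report = json.load(fh)
    else:
        report = sample_report()
    threshold = float(argv[2]) if len(argv) > 2 else 7.0
    findings = blocking_findings(report, threshold)
    for f in findings:
        print(f"BLOCK {f['severity']:4.1f} {f['tool']} {f['rule']} {f['location']}: {f['message']}")
    print(f"{len(findings)} blocking finding(s) at threshold {threshold}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as a pipeline step after the scanners have written their SARIF, the non-zero exit status blocks the merge; the threshold and the allowlist are the two knobs the security team owns, and suppressions stay with the code so that a reviewed finding does not keep reappearing on every build.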
These are just a few recommendations to consider when implementing a product security program.
What is your best advice for implementing and improving a product security program?
David Andersson
Engineering leader, information security architect
20 years of experience in the field
Business-aligned IT and information security expert with both passion and talent for designing and implementing security architecture and governance that build security awareness across the organization. Creates and implements solutions that align with security standards and operational goals.
I will post blogs here about things that interest me in the area of information security.
⫸ Key skills: Application Security Programs, Information Security Management Systems, Risk Management, Cloud Security, Security Architecture, Security Management
⫸ CISSP, CISM, SCF, ISO 27001 LI